The Library of Congress
Office of the Inspector General

Office of the Librarian
Development Office

Information Technology Review of the Raiser's Edge Software Program
Review Report No. 2006-IT-302
December 2007


UNITED STATES GOVERNMENT                         LIBRARY OF CONGRESS
Memorandum                                       Office of the Inspector General

TO:       James H. Billington                                  December 20, 2007
          Librarian of Congress

FROM:     Karl W. Schornagel
          Inspector General

SUBJECT:  Information Technology Review of the Raiser's Edge Software Program
          Review Report No. 2006-IT-302

This transmits our final report on the Raiser's Edge Software Program. The Executive Summary begins on page i, and complete findings and recommendations appear on pages 4 to 7.

The Development Office's response to our draft report is briefly summarized in the Executive Summary and in more detail after individual recommendations. Its complete response is included as an appendix to the report.

Based on the written comments to the draft report, we consider all of the recommendations resolved. Please provide, within 30 calendar days, an action plan addressing implementation of the recommendations, including implementation dates, in accordance with LCR 211-6, Section 11.A.

We appreciate the cooperation and courtesies extended by the Development Office staff during the review.

cc: Chief Operating Officer

TABLE OF CONTENTS

Executive Summary
Introduction
Objectives, Scope, and Methodology
Findings and Recommendations
    I.
        Recommendations
        Management Response
    II.  Certification and Accreditation is Required for Raiser's Edge
        Recommendation
        Management Response
    III. Reviews of the Server Logs Are Needed
        Recommendation
        Management Response and OIG Comments
Conclusion
Appendix: Management Response


EXECUTIVE SUMMARY

The Development Office of the Library of Congress was established under the leadership of the present Librarian in 1987. Through the office, the Library seeks support from individuals, corporations, and foundations that wish to play a key role in sharing, cultivating, and celebrating knowledge and creativity. Library fundraising focuses on support for special acquisitions, preservation of Library collections, cultural and educational outreach programs, and various other projects and activities. Private donations to the Library have totaled approximately $307 million since the Development Office was established.
The office uses Raiser's Edge, a commercial software product, as a tool for managing fundraising activities, including tracking receipts and managing special event information.

This report provides the results of our assessment of the application controls the Library uses in the operation of Raiser's Edge. We sought to determine whether the controls applied are commensurate with the level of protection required for the system's information and whether the system is operated according to Library of Congress Regulation (LCR) 1620, Information Technology Security Policy of the Library of Congress, and applicable Information Technology Security Directives. We concluded that the level of controls applied in the operation of Raiser's Edge appropriately corresponds to the level of protection required for the data the system processes. However, we identified actions that should be taken to enhance the protection of system information. Specifically, we recommend that:

•

• the Raiser's Edge system undergo the Certification and Accreditation evaluation required by LCR 1620 as soon as possible; and

• system managers regularly review Raiser's Edge's data to identify errors or data that is being inappropriately used.

Management generally agreed with our findings and recommendations.


INTRODUCTION

This report is the first in a series of Office of the Inspector General (OIG) reviews of various Library applications and systems. These reviews will focus on the effectiveness of management, operational, and technical controls that apply to a system's operation.

Criteria guiding OIG's reviews include the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) Circular A-130, the Library's Information Technology (IT) Security Policy, Information Technology Services (ITS) Security Directives, National Institute of Standards and Technology (NIST) Special Publications, Federal Information Processing Standards (FIPS), and best practices of the IT industry. Although the Library is not required by statute to follow some of these criteria, they represent best practices in the operation of an IT security program, and the Library has adopted many of them.

The Library acquired Raiser's Edge in 1998 for $13,670. The annual fee for the associated maintenance agreement is currently $26,624, which includes licenses for 40 concurrent users.

Raiser's Edge includes several modules to track fundraising donations, gifts, and events. The application also provides reports regarding administrative and managerial activities.

Although the application has web capabilities, the Library does not use those features. Raiser's Edge has no automated interfaces with other Library systems for exchanging data or information.

Data is generally entered into Raiser's Edge manually, and transferring data from Raiser's Edge to other programs is likewise a manual effort. There is currently no remote access to the application from outside the Library.

_____________________
1 Version 7.82, due at the end of 2007, will be available to the Library under the agreement.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of this review were to examine the input, processing, and output functions of Raiser's Edge to ensure that: (1) only complete, accurate, and valid data are entered and updated in the computer system; (2) processing of constituent gift, campaign, fund, and appeal information by the application is accurate; (3) processing efficiency meets management expectations; and (4) the integrity and confidentiality of data are maintained.

We tested applicable system controls to assess whether they were functioning effectively. We also evaluated the control environment to determine whether control objectives had been achieved.

During the course of our assessment, we:

• developed a thorough understanding of the control environment by reviewing applicable policies and procedures of the Development Office and the Raiser's Edge software application system;

• reviewed systems documentation for the Raiser's Edge application;

• interviewed key personnel involved with the input, processing, and output of the software application system; and

• reviewed relevant Library of Congress Regulations (LCRs), the Code of Federal Regulations, and publications issued by the National Institute of Standards and Technology (NIST).

We performed our fieldwork from June 2006 through February 2007 and from July 2007 through August 2007. Our work was interrupted by staff turnover and other, higher-priority projects.

We conducted our review in accordance with Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States (the "Yellow Book"), 2003 edition, and LCR 211-6, Functions, Authority, and Responsibility of the Inspector General.


FINDINGS AND RECOMMENDATIONS

We concluded that the overall level of controls applied in the operation of Raiser's Edge appropriately corresponds to the risks of protecting the system's data. However, weaknesses in the application of some controls should be addressed to provide greater security for the system's information. Significant areas requiring attention include:

•
• system certification and accreditation; and
• system capabilities to assist data monitoring activities.

The following sections provide our assessments of these issues and include three recommendations to strengthen the system's security.

I. Automated

Among other things,

Recommendations

We recommend that:

a. the Development Office document

Management Response


II. Certification and Accreditation is Required for Raiser's Edge

A certification and accreditation (C&A) evaluation has not been performed on the Raiser's Edge system as required by the Library's IT security policy, LCR 1620. However, the system is scheduled for such an evaluation at the end of this year.

Under the IT policy, all Library service and infrastructure units are responsible for the C&A of all IT systems under their operational control every three years. The certification process identifies weaknesses in operating the application, system, or facility and evaluates the potential vulnerabilities of these weaknesses. Accreditation is the formal declaration by the Designated Approving Authority (DAA) that an automated information application, system, or facility is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is a business decision balancing the cost of the level of safeguards against the level of need for confidentiality, availability, and integrity of the information.

The C&A process ensures that the responsible manager with oversight of the system has a clear picture of the risk involved with that system and the mitigations that can be employed to minimize the risk to the system, the organization, and the government agency.

The Office of the Inspector General interviewed the system owner and performed an initial system characterization and risk assessment of the Raiser's Edge system. Based on the assessment, we concluded that the security threat for the system was moderate. However, the risk assessment was not performed at the level of detail normally involved in a standard C&A evaluation. Such a standard evaluation of Raiser's Edge may reveal system weaknesses that are not identified in this report. We note that the Library has used the application since 1998 without incident.

Recommendation

We recommend that the Director of the Development Office ensure that the Raiser's Edge system undergo the Certification and Accreditation evaluation required by LCR 1620 as soon as possible.

Management Response

None


III. Reviews of the Server Logs Are Needed

The system's managers do not review Raiser's Edge system transaction logs for suspect data events to identify data that is being inappropriately accessed.
This monitoring procedure is not performed primarily because the system does not make data conveniently available in logs for management review. As a result, the reliability of the system's data is questionable.

It is common industry practice for management to review data captured in system logs to ensure the integrity of a system. Moreover, the ability to generate reports or logs is built into the majority of modern applications. In Raiser's Edge's case, however, this capability is not available at the application level.

Nevertheless, it is still possible for the system's managers to review some of Raiser's Edge's data. Because Raiser's Edge resides on a Microsoft Structured Query Language (SQL) server, system managers could review the system's data that resides in the transaction log built into the SQL server.
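One caveat applies to reading the SQL Server transaction log directly: it is a recovery mechanism, not an audit trail. SQL Server truncates it at each checkpoint under the simple recovery model and after each log backup under the full recovery model, so a reviewer either reads it promptly or works from retained log backups. A more durable way to give Raiser's Edge the change log the report says the application lacks is to have a database trigger copy each change to the sensitive tables into a separate audit table, and to review that table on a schedule. The T-SQL below is an added example written for this page; it is not code from the OIG report, from Raiser's Edge, or from Blackbaud. The dbo.Gift table, the audit.GiftChange table, the RaisersEdgeApp role, the business-hours window, and the 200-changes-per-day threshold are all assumptions chosen for illustration, since the report does not show the application's real schema.

```sql
-- Added example, not from the OIG report and not Raiser's Edge or Blackbaud code.
-- All object names, columns, and thresholds below are assumptions for illustration.
-- Uses only T-SQL available on SQL Server 2005 and later.

-- Stand-in for the application's gift table (hypothetical schema).
CREATE TABLE dbo.Gift (
    GiftID        INT            NOT NULL PRIMARY KEY,
    ConstituentID INT            NOT NULL,
    Amount        DECIMAL(12, 2) NOT NULL,
    GiftDate      DATETIME       NOT NULL
);
GO

-- Audit trail lives in its own schema, owned by dbo, so the trigger can write to it
-- through ownership chaining while the application role is denied direct changes.
CREATE SCHEMA audit AUTHORIZATION dbo;
GO
CREATE TABLE audit.GiftChange (
    AuditID    INT IDENTITY(1, 1) NOT NULL PRIMARY KEY,
    GiftID     INT            NOT NULL,
    Action     CHAR(1)        NOT NULL,   -- 'I' insert, 'U' update, 'D' delete
    OldAmount  DECIMAL(12, 2) NULL,       -- NULL for inserts
    NewAmount  DECIMAL(12, 2) NULL,       -- NULL for deletes
    ChangedBy  SYSNAME        NOT NULL,   -- login that opened the session (ORIGINAL_LOGIN)
    ClientHost SYSNAME        NOT NULL,   -- workstation name supplied by the client; not proof
    ChangedAt  DATETIME       NOT NULL
);
GO

-- Hypothetical role the application connects as: it may change gifts (and so fire the
-- trigger), but it may not rewrite or erase the record of having done so.
CREATE ROLE RaisersEdgeApp;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Gift TO RaisersEdgeApp;
DENY UPDATE, DELETE ON audit.GiftChange TO RaisersEdgeApp;
GO

-- One trigger records inserts, updates, and deletes. Inside a DML trigger SQL Server
-- exposes the new rows as "inserted" and the prior rows as "deleted"; a FULL OUTER JOIN
-- on the key classifies each row as I, U, or D in a single pass.
CREATE TRIGGER dbo.trg_Gift_Audit ON dbo.Gift
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO audit.GiftChange
        (GiftID, Action, OldAmount, NewAmount, ChangedBy, ClientHost, ChangedAt)
    SELECT  COALESCE(i.GiftID, d.GiftID),
            CASE WHEN i.GiftID IS NULL THEN 'D'
                 WHEN d.GiftID IS NULL THEN 'I'
                 ELSE 'U' END,
            d.Amount,
            i.Amount,
            ORIGINAL_LOGIN(),
            HOST_NAME(),
            GETDATE()
    FROM    inserted AS i
    FULL OUTER JOIN deleted AS d ON d.GiftID = i.GiftID;
END;
GO

-- Weekly review query 1: the events a reviewer should look at first.
-- Business hours (07:00 to 18:59, Monday to Friday) and the 7-day window are assumptions.
-- DATENAME(weekday, ...) follows the session language; the names below assume English.
SELECT  c.AuditID, c.GiftID, c.Action, c.OldAmount, c.NewAmount,
        c.ChangedBy, c.ClientHost, c.ChangedAt,
        CASE
            WHEN c.Action = 'D'                                    THEN 'gift record deleted'
            WHEN c.Action = 'U' AND c.NewAmount <> c.OldAmount     THEN 'gift amount changed after entry'
            WHEN DATEPART(hour, c.ChangedAt) NOT BETWEEN 7 AND 18
              OR DATENAME(weekday, c.ChangedAt) IN ('Saturday', 'Sunday')
                                                                   THEN 'change outside business hours'
        END AS Reason
FROM    audit.GiftChange AS c
WHERE   c.ChangedAt >= DATEADD(day, -7, GETDATE())
  AND ( c.Action = 'D'
     OR (c.Action = 'U' AND c.NewAmount <> c.OldAmount)
     OR DATEPART(hour, c.ChangedAt) NOT BETWEEN 7 AND 18
     OR DATENAME(weekday, c.ChangedAt) IN ('Saturday', 'Sunday') )
ORDER BY c.ChangedAt;

-- Weekly review query 2: volume per login per day. A login touching far more gift
-- records than usual deserves a question even when each change looks plausible.
-- The 200-row threshold is an assumption; set it from the office's normal daily volume.
SELECT  ChangedBy,
        CONVERT(CHAR(10), ChangedAt, 120) AS ChangeDay,   -- yyyy-mm-dd
        COUNT(*)                          AS Changes
FROM    audit.GiftChange
WHERE   ChangedAt >= DATEADD(day, -7, GETDATE())
GROUP BY ChangedBy, CONVERT(CHAR(10), ChangedAt, 120)
HAVING  COUNT(*) > 200
ORDER BY Changes DESC;
```

The DDL is run once by the database owner; the two review queries are what a system manager would run each week, or schedule as a SQL Server Agent job that mails the result. Two points matter when reading the output. HOST_NAME() is whatever the client connection claims to be, so it corroborates a finding but does not prove one; ORIGINAL_LOGIN() is the better identifier because it survives impersonation inside the session. And the audit table only has value if the people who can change gift data cannot also change the trail, which is what owning it as dbo and the DENY above are for. Later SQL Server releases add built-in mechanisms (SQL Server Audit, Change Data Capture) that cover the same ground with less custom code; the trigger approach has the advantage of working on any version from 2005 onward.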
SQL Server utilities, including Lumigent Log Explorer and Audit DB, could help system managers identify changed records and target suspect data events.

Recommendation

We recommend that system managers for Raiser's Edge regularly review the system's transaction logs for suspect data events to identify data that is being inappropriately accessed.

Management Response and OIG Comments

Management wished to clarify that the application data entered into the system was being reviewed daily. We acknowledge this fact; however, we reiterate our finding that system data events should be reviewed on a regular basis.


CONCLUSION

This review of the controls applied in the operation of Raiser's Edge is one in a series of OIG reviews of various Library systems.
These reviews are designed to assist Library management by focusing on the effectiveness of management, operational, and technical controls that apply to a system's operation.

We concluded that the level of controls established for Raiser's Edge's operation is commensurate with the level of protection required for the information the system processes. Moreover, staff responsible for entering, maintaining, and protecting system data have a good understanding of the system's procedures and responsibly ensure those procedures are properly implemented.

However, we also concluded that weaknesses in the application of some controls should be addressed to provide greater security for the system's information. This report provides recommendations to address significant weaknesses that we identified. Most importantly, we recommended that Raiser's Edge undergo a standard C&A evaluation as soon as possible to confirm that the system's safeguards provide the level of security needed to adequately protect the system's information.


Major Contributors to This Report

Nicholas G. Christopher, Assistant Inspector General for Audits
John Kane, Senior Auditor
Lawrence Olmsted, Information Technology Specialist


APPENDIX: MANAGEMENT RESPONSE

United States Government
Memorandum
_______________________________________________________________________________
                                                      December 7, 2007

To:    Lawrence D. Olmsted
       Information Technology Officer
       Office of the Inspector General

From:  Larry D. Stafford
       Director of Special Programs

Subj:  Response to Raiser's Edge Audit Report

In reference to finding 3, Review of Server Logs, management did not agree with the wording that implied that the system's manager did not review data to identify errors or that the data is being inappropriately accessed. Management wants to confirm that the data is reviewed daily and felt that this finding should be re-worded to better reflect this as a system data review as opposed to an application data review.

In reference to finding 1, management agrees that                                       but that the software version numbers were incorrectly stated in the report.